Network Access Control For IoT Devices!

By Steve Cromie, Enterprise Architect

The recent ransomware attack on Colonial Pipeline got me thinking about how important it is for companies to identify what types of devices are connected to their network and to provide secure network access only to the devices that are allowed on it. Internet of Things (IoT) devices provide some sort of service that is generally automated and requires network access to send data to other devices, applications, or services on the internet. Building automation systems like lighting controllers, thermostats, and security systems are good examples. Even vending machines these days have embedded systems to process credit card transactions. These IoT devices are generally not developed with security in mind (many have no way to present a credential to the network at all), so the onus is on network administrators to develop a strategy that controls the network access of these devices.

Network Access Control, or NAC, is being used more and more in today’s networks to provide a “Zero Trust Security Posture”. See our blog by Mitchell Hurd on this topic. NAC is the set of tools, processes and protocols that govern access to network-connected resources. It covers access control for different types of resources, including conventional computers, printers, tablets, smart phones and IP phones. NAC can also be used for devices that are not easily identified, like IoT devices.

Network Access Control For Wired Networks

While access to wireless networks is typically secured using protocols like WPA2 and the more recent, more secure WPA3, wired networks often have no such controls in place, even though the same IEEE 802.1X port-based authentication that WPA-Enterprise relies on is available on managed switches. Wired networks often assign an IP address via DHCP and give full connectivity to any device that is plugged in. This approach is convenient because it eliminates the need to manage access credentials for wired devices and users, and manually configuring network switches for all the different kinds of access that can be required is very time consuming. Organizations generally assume that the security risk is low for wired devices because only people with physical access to their facilities can plug in devices. The reality is that unsecured wired networks are prime vectors for shadow devices to enter an organization’s infrastructure: an unused wall jack in a lobby or conference room is all it takes.

Ability To Establish Policies For Devices

Unmanaged, non-user devices such as IoT hardware usually have no 802.1X supplicant and often rely on special communications protocols that standard NAC authentication policies or tools do not support. Because of this challenge, organizations end up granting the IoT devices access as an exception to the NAC rules. Network administrators either don’t have the tools to identify the IoT devices and build policies for them, or don’t have the time or resources. Establishing NAC policies for wired devices, including IoT devices, can be a big project for an organization.

NAC for IoT

Identifying, fingerprinting and monitoring devices that connect to the network requires a NAC system that can detect a device as it connects (typically when the switch reports the device’s MAC address because the device cannot authenticate with 802.1X), classify it, and dynamically send the correct policy to the network switch, for example a VLAN assignment or access list returned with the authentication response. On IoT networks that may include hundreds or thousands of devices, NAC helps manage inventory so that organizations have continuous visibility into which IoT devices exist and when they go online and offline. In addition, NAC tools allow teams to “lock down” IoT devices by enforcing a policy of least privilege, or by blocking devices from the internal network until they meet the criteria of the organization’s security policy.
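As an added example that is not code from the original post or from any NAC product: the following Python sketches the profiling and dynamic-policy step described above, and the MAC-only admission that the “Ability To Establish Policies For Devices” section describes as the IoT problem. Everything in it is a constructed assumption: the OUI table, the DHCP option 55 fingerprints, the VLAN numbers, the switch port names and the sample devices are toy data, not a real fingerprint feed. The RADIUS attribute names are the standard RFC 3580 VLAN attributes a NAC server returns in an Access-Accept; the “spoof” check compares what the MAC address claims against how the DHCP client actually behaves.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed toy OUI table: first three octets of the MAC -> vendor the MAC claims.
OUI_VENDOR = {
    "00:1A:2B": "AcmeThermostat",
    "3C:4D:5E": "AcmeCamera",
    "A0:B1:C2": "GenericPC",
}

# Constructed toy DHCP fingerprints: option 55 (Parameter Request List) -> device class.
# Real fingerprint feeds key on the same option; these tuples are invented.
DHCP_FINGERPRINT = {
    (1, 3, 6, 15, 28): "thermostat",
    (1, 3, 6, 12, 15, 42): "ip-camera",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-pc",
}

# Device class each vendor's hardware is expected to present. Constructed.
VENDOR_CLASS = {
    "AcmeThermostat": "thermostat",
    "AcmeCamera": "ip-camera",
    "GenericPC": "windows-pc",
}

# Least-privilege VLAN per device class (hypothetical numbering); the ACL on each
# VLAN is assumed to allow only the device's own management server.
POLICY_VLAN = {"thermostat": 110, "ip-camera": 120, "windows-pc": 10}
QUARANTINE_VLAN = 999   # no route to the internal network, remediation only


@dataclass
class Observation:
    """What the NAC server knows about a device at authorization time."""
    mac: str
    dhcp_params: Tuple[int, ...]   # option 55 as seen in the device's DHCP Discover
    hostname: str = ""


def oui(mac: str) -> str:
    return mac.upper()[:8]


def radius_vlan_attrs(vlan: int) -> Dict[str, str]:
    """RFC 3580 tunnel attributes: sent in Access-Accept, they make the switch
    place the port into the given VLAN with no per-port manual configuration."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authorize(obs: Observation) -> Tuple[str, int, Dict[str, str]]:
    """MAB-style decision: the device has no 802.1X supplicant, so its MAC is
    the only 'credential' and profiling decides how far to trust it.
    Returns (decision, vlan, radius_attributes)."""
    vendor = OUI_VENDOR.get(oui(obs.mac))
    dev_class = DHCP_FINGERPRINT.get(tuple(obs.dhcp_params))
    if vendor is None or dev_class is None:
        # Unknown hardware or unknown behaviour: hold it until someone classifies it.
        return "quarantine", QUARANTINE_VLAN, radius_vlan_attrs(QUARANTINE_VLAN)
    if VENDOR_CLASS[vendor] != dev_class:
        # The MAC claims a thermostat but the DHCP client behaves like a PC:
        # treat it as a spoofed MAC rather than handing out the thermostat VLAN.
        return "spoof-suspected", QUARANTINE_VLAN, radius_vlan_attrs(QUARANTINE_VLAN)
    vlan = POLICY_VLAN[dev_class]
    return "accept", vlan, radius_vlan_attrs(vlan)


class Inventory:
    """Online/offline view driven by RADIUS accounting Start/Stop from the switch."""
    def __init__(self) -> None:
        self.online: Dict[str, str] = {}   # mac -> switch port currently in use
        self.seen: Dict[str, str] = {}     # mac -> last authorization decision

    def accounting(self, mac: str, port: str, event: str) -> None:
        if event == "Start":
            self.online[mac] = port
        elif event == "Stop":
            self.online.pop(mac, None)


# Constructed sample traffic: a real thermostat, a laptop that cloned a
# thermostat OUI, and a device nobody has fingerprinted yet.
SAMPLES = [
    Observation("00:1a:2b:00:00:01", (1, 3, 6, 15, 28), "tstat-lobby"),
    Observation("00:1a:2b:00:00:02",
                (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252), "LAPTOP-7Q2"),
    Observation("de:ad:be:ef:00:01", (1, 3, 6), ""),
]


def run_samples() -> Dict[str, str]:
    """Authorize each sample; returns mac -> decision."""
    inv = Inventory()
    for obs in SAMPLES:
        decision, vlan, attrs = authorize(obs)
        inv.seen[obs.mac] = decision
        print(f"{obs.mac} {obs.hostname or '-':12} -> {decision:15} "
              f"VLAN {attrs['Tunnel-Private-Group-ID']}")
    return inv.seen


if __name__ == "__main__":
    run_samples()
```

In a real deployment the OUI and DHCP tables are replaced by the NAC product’s fingerprint database, and the decision adds more signals (LLDP/CDP, HTTP User-Agent, mDNS) so that a single cloned MAC is not enough to inherit an IoT device’s VLAN. The quarantine VLAN is the “block until the device meets policy” behaviour from the paragraph above; a device stays there until an administrator classifies it and the table is updated.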

Conclusion

A comprehensive NAC solution that covers devices connecting to the network via either a wireless or a wired connection is critical to securing all networked resources and to establishing a “Zero Trust Security Posture”. IoT devices can be a challenge due to their sheer number and their lack of authentication protocols. A NAC solution that can identify every device connecting to the network, profile each device to confirm it is not “spoofed” (for example, a laptop presenting a printer’s MAC address), and dynamically send policy configuration to the network switches for secure access is something every organization should be considering these days. A comprehensive NAC solution can help prevent malware or ransomware from spreading across an organization’s infrastructure.

If you have any questions regarding IoT devices or would like to see a deeper dive on NAC solutions, please reach out to us by going to our Contact Us page.
